groovehq

SUSPICIOUS: The skill is mostly coherent with its stated GrooveHQ integration purpose, and the CLI install path appears to be the publisher's official npm distribution. The main concern is data-flow integrity: GrooveHQ authentication and API requests are routed through Membrane as an intermediary rather than directly to GrooveHQ, creating a moderate third-party trust and credential-handling risk. No clear malware or deceptive exfiltration behavior is shown, but the proxying model and broad mutation capability make it higher risk than a direct official API integration.